RSA: Report Reveals 7 Cloud Computing "Sins"

The Cloud Security Alliance (CSA) on Monday released the results of a security study identifying the "seven deadly sins" of cloud computing.

"Cloud computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes," the report states, "but the implications of implementing common security controls on cloud platforms is not widely known, and many administrators and security officials ignore the fact that they no longer control their own IT resources once they enter the cloud. Security too often is taken on trust."

"It has nothing to do with computing," said Chris Whitener, chief security strategist for Hewlett-Packard, which commissioned the report. "It's human nature." Whitener said HP asked for the study, Top Threats to Cloud Computing, because the growing complexity of cybersecurity is outstripping the ability of its customers to manage it, and cloud computing is a particularly cloudy environment for many of them. "We're in that business in a big way now," he said.

CSA founder and executive director Jim Reavis called cloud computing a combination of established technology along with new business practices and economic models. "It is the whole ecosystem that is the problem, although much of the technology is mature," Reavis said. There is little understanding among security auditors how to approach this new environment, how best practices should be used or how regulations apply to the environment, he said.

Although there is a great deal of interest in cloud computing and many organizations are engaged in pilot programs and have aggressive adoption strategies, actual adoption has been fastest with small startup companies that opt to obtain computing services rather than invest scarce capital in infrastructure, Reavis said. "I would characterize it as in the early adopter stage for larger enterprises," he said, "and a little beyond that for smaller, emerging organizations."

The top threats report represents a consensus of security professionals and researchers and is intended to complement recommendations for best security practices contained in CSA's Security Guidance for Critical Areas of Focus in Cloud Computing, initially released in April 2009 and revised in December. The report contains descriptions, recommendations for remediation, and assessments of impact for each of the identified threats. The threats themselves are for the most part not new or unique to the cloud but pose significant risks in that environment. The top seven threats, in no particular order, are:

Abuse and nefarious use of cloud computing. What happens when the bad guys move into the cloud? "There is so much computing power that can be turned on with a credit card, and we know they are good at stealing credit cards," Reavis said. Cloud computing could help to create next-generation botnets that are more powerful and harder to find and kill because they exist in a virtual environment.

Insecure application programming interfaces. The reuse and combination of existing code to rapidly build applications often sacrifices quality assurance for agility and quick turnaround, resulting in insecure APIs. "This is an area very ripe for exploitation," Reavis said.

Malicious insiders. This is an old threat, but with the rapid growth of cloud computing there often are gaps in background checking as service providers rush to fill positions.

Shared technology vulnerabilities. Inadequate management of virtual machines can allow attackers to enter through back doors and, once inside, to move laterally through the closed environment.

Data loss and leakage. Security controls to protect data housed in the cloud are under-used, and it often is hard to apply these controls in a new environment. There is a general lack of granularity in the ability to monitor and control what is happening.

Account, service and traffic hijacking. The cloud is vulnerable to man-in-the-middle attacks and other types of hacking, and there already are some examples of users being redirected to malicious sites. There is a lot of inherited trust between cloud components and a lack of strong, two-factor authentication.

Unknown risk profile. The unknown unknown. There is a lack of transparency on the part of service providers, and customers often do not know the configuration of the systems or the patch levels of software on which their applications will be residing.

Whitener said he was not surprised by the findings in the report. "There will always be malicious insiders and poor programming interfaces," he said. "That will be with us for a long time."

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).